Security Services
Security Overview:

Amazon GuardDuty
Incident detection service in AWS that monitors the most important AWS logs.
You can add your own IOC IP addresses to alert on.
A threat actor (TA) can add their own IP address to the list of trusted addresses so it is ignored in alerts (defense evasion).
GuardDuty collects its logs automatically:
AWS CloudTrail logs
Amazon Virtual Private Cloud (Amazon VPC) flow logs
Amazon Route 53 DNS logs
(Optional) EKS Audit logging
(Optional) Lambda protection
(Optional) Malware protection in storage
(Optional) RDS protection
(Optional) Runtime protection for ECS and EC2
(Optional) S3 protection using S3 logging
Things to know
GuardDuty is regional: it needs to be enabled in each region and in every account you use
Use Security Hub to centralize findings
Collection of logs is out-of-band and does not interfere with existing configuration
Doesn't work on historical logs; it only analyzes logs forward in time from when it is enabled (relevant for the IR use case)
GuardDuty is a very good indicator for incidents in AWS
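Added example (not part of these notes): an offline audit covering two points above, that GuardDuty is regional and must be enabled everywhere, and that a trusted IP list can be abused to suppress findings. The functions take plain dicts shaped like the relevant GuardDuty fields (detector Status, IP set Name/Status/Location) and CloudTrail records (eventSource, eventName, userIdentity.arn); the SAMPLE_* data, account id, role names and approved ranges are constructed for illustration. In practice the snapshot would be filled from ListDetectors/GetDetector/ListIPSets/GetIPSet in each region plus a read of the S3 object that each IP set's Location points to, since GetIPSet returns only the location, not the addresses.

```python
"""Offline audit of GuardDuty regional coverage and trusted IP list contents.

Added example, not code from the original notes. Inputs are plain dicts so
the audit runs without AWS credentials; sample values below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class RegionState:
    """Per-region snapshot of GuardDuty configuration.

    `entries` holds addresses read from the IP set's S3 object; the GetIPSet
    API itself only returns the S3 Location, not the list contents.
    """
    region: str
    detector_status: str | None   # "ENABLED", "DISABLED", or None if no detector exists
    trusted_ip_sets: list[dict]   # {"Name", "Status", "Location", "entries": [str]}


# GuardDuty API calls that change trusted lists or the detector itself (real API names).
SENSITIVE_GUARDDUTY_EVENTS = {
    "CreateIPSet", "UpdateIPSet", "DeleteIPSet", "UpdateDetector", "DeleteDetector",
}


def audit_regions(states: list[RegionState], expected_regions: set[str],
                  approved_cidrs: set[str]) -> list[str]:
    """Return issues: regions without an enabled detector, and active trusted
    IP list entries that fall outside the approved ranges (possible evasion)."""
    approved = [ipaddress.ip_network(c) for c in approved_cidrs]
    seen: set[str] = set()
    issues: list[str] = []
    for s in states:
        seen.add(s.region)
        if s.detector_status != "ENABLED":
            issues.append(f"{s.region}: GuardDuty detector is {s.detector_status or 'absent'}")
        for ip_set in s.trusted_ip_sets:
            if ip_set.get("Status") not in ("ACTIVE", "ACTIVATING"):
                continue  # only active lists suppress findings
            for raw in ip_set.get("entries", []):
                try:
                    net = ipaddress.ip_network(raw, strict=False)
                except ValueError:
                    issues.append(f"{s.region}: trusted list {ip_set['Name']} "
                                  f"has unparsable entry {raw!r}")
                    continue
                covered = any(net.subnet_of(a) for a in approved if a.version == net.version)
                if not covered:
                    issues.append(f"{s.region}: trusted list {ip_set['Name']} suppresses "
                                  f"findings for {raw}, which is not an approved range")
    for region in sorted(expected_regions - seen):
        issues.append(f"{region}: no GuardDuty detector found")
    return issues


def flag_guardduty_changes(records: list[dict], approved_principals: set[str]) -> list[dict]:
    """Return CloudTrail records in which a principal outside the approved set
    modified a trusted IP list or the detector. Note that role sessions appear
    as arn:aws:sts::...:assumed-role/<Role>/<session> ARNs in userIdentity."""
    flagged = []
    for rec in records:
        if rec.get("eventSource") != "guardduty.amazonaws.com":
            continue
        if rec.get("eventName") not in SENSITIVE_GUARDDUTY_EVENTS:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "")
        if actor not in approved_principals:
            flagged.append({"eventName": rec["eventName"], "actor": actor,
                            "region": rec.get("awsRegion"), "time": rec.get("eventTime")})
    return flagged


# Constructed sample data (hypothetical account, roles, buckets and ranges).
SAMPLE_EXPECTED_REGIONS = {"us-east-1", "eu-west-1", "ap-southeast-2", "us-west-2"}
SAMPLE_APPROVED_CIDRS = {"203.0.113.0/24"}
SAMPLE_APPROVED_PRINCIPALS = {"arn:aws:iam::123456789012:role/SecurityAdmin"}
SAMPLE_STATES = [
    RegionState("us-east-1", "ENABLED", [
        {"Name": "corp-egress", "Status": "ACTIVE",
         "Location": "s3://example-sec/trusted.txt", "entries": ["203.0.113.0/24"]}]),
    RegionState("eu-west-1", "ENABLED", [
        {"Name": "temp-allow", "Status": "ACTIVE",
         "Location": "s3://unknown-bucket/ok.txt", "entries": ["198.51.100.77", "not-an-ip"]}]),
    RegionState("ap-southeast-2", "DISABLED", []),
]
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateIPSet", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/dev-deploy"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "GetDetector", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/dev-deploy"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "CreateIPSet", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecurityAdmin"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/dev-deploy"}},
]

if __name__ == "__main__":
    for line in audit_regions(SAMPLE_STATES, SAMPLE_EXPECTED_REGIONS, SAMPLE_APPROVED_CIDRS):
        print("ISSUE:", line)
    for ev in flag_guardduty_changes(SAMPLE_TRAIL, SAMPLE_APPROVED_PRINCIPALS):
        print("REVIEW:", ev)
```

On the sample data the audit reports the disabled detector in ap-southeast-2, the missing one in us-west-2, and the two bad entries in the eu-west-1 trusted list; the CloudTrail pass flags only the UpdateIPSet made by the unapproved role. Because GuardDuty only looks forward from the time it is enabled, the CloudTrail check is the part that still works when the list change happened before coverage existed.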
Amazon Inspector
What:
Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure.
How: Inspector automatically scans for vulnerabilities in:
EC2 instances (works on Windows and Linux)
Container images in the container registry
AWS Lambda functions
Uses AWS Systems Manager (SSM) to perform scanning on instances
Scans for vulnerabilities in the operating system as well as the software packages used
Lambda scanning also allows for scanning of code for potential vulnerabilities
Amazon Detective
Data sources collected for Amazon Detective:
AWS CloudTrail logs
Amazon Virtual Private Cloud (Amazon VPC) flow logs
For accounts that are enrolled in GuardDuty, Detective also ingests GuardDuty findings
(Optional) Amazon EKS Audit Logs
(Optional) AWS Security findings from Security Hub
AWS Security Hub
AWS Security Lake